Secure Document Destruction: Rethinking Paper and Privacy

Did you know that paper documents can cause a data breach? With the term “data breach” typically being associated with the mishandling of electronic records, paper privacy, and secure document destruction have become an afterthought.

However, paper documents still play an active role in the business setting – and when they’re improperly disposed of – can result in costly breaches.

The Myth of the “Paperless” Office

Despite the push for organizations to become “paperless,” a surprising number of employees still rely on the paper realm for their core business functions. 44.23% of employees use paper in their position daily, with only two percent stating they never use paper.

In the legal, accounting, and HR environments, paper is a common denominator in administrative and record-keeping processes. Today’s financial firms have automated transaction processes, yet hard-copies are often trusted over digital files when significant investments and agreements are made. Additionally, 90% of healthcare providers utilize paper and manual methods in their patient collections.

Not only do physical files contain personally identifiable information (PII), but organizations are exposed to the risk of a breach if documents are not correctly stored or securely shredded. According to a recent report, paper and film-based records, rather than electronic records, comprised 65% of hospital data breaches.

Privacy of Consumer Information

With the rise of identity theft in the information age, various statutory requirements and laws have been formed to ensure the confidentiality of personal information. These regulations govern how long paper records must be stored and how to dispose of them securely.

Noncompliance with destruction regulations can result in severe consequences, including hefty fines and damages. So how can you ensure that you’re up-to-date with the latest privacy and destruction laws? Here’s our privacy protection guide to get you started.

Guide to Data Privacy Laws

General Data Protection Rule (GDPR)

On May 25, 2018, the EU’s data privacy regulation, GDPR, came into force. GDPR applies to organizations operating within the EU, along with businesses outside of the EU that provide products or services to consumers or companies in the EU.

Under the terms of GDPR, organizations must ensure personal data is gathered legally, protect the misuse of it, and respect the rights of data owners. One of the key takeaways from the GDPR rules is that companies must take a far more proactive approach to prevent data breaches through the secure storage and deletion of information. Paper copies containing data that are kept and not securely destroyed can become a significant GDPR compliance issue.

GDPR violators may face fines of 20 million Euros ($22.6 million US dollars) or 4% of your annual income for noncompliance.

FACTA  Disposal Rule (Fair and Accurate Credit Transactions Act)

The Fair and Accurate Credit Transactions Act (FACTA) is federal legislation aimed at the prevention and penalization of consumer fraud and identity theft. Administered by the Federal Trade Commission (FTC), the FACTA Disposal Rule has been in effect since June 1, 2005.

The Disposal Rule outlines reasonable measures for disposing of consumer report information to prevent unauthorized access and misuse of it. Disposal actions may include instituting policies to “burn, pulverize, or shred papers containing consumer report information” or “conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information.”

Failure to comply with the Disposal Rule can result in severe penalties ranging from 1,000 to $2,500 for each violation.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act was established in 1999 and requires financial institutions to disclose how they share and protect their customers’ information. GLBA identifies protected information as “nonpublic personal information” or “NPI.” Examples of NPI include drivers licenses, social security numbers, insurance information, and loan statements.

Although the GLBA provides flexibility for institutions to scale security solutions that align with their business size and complexity of operations, compliance should not be dismissed. Institutions can be subject to a civil penalty of $100,000 per violation. Additionally, company officers and directors can be fined and receive up to five years of imprisonment.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) requires publicly held companies to establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. SOX was formed in response to the early 2000s’ high profile corporate financial scandals, imposing more stringent recordkeeping requirements.

Under SOX, records are considered any materials that consist of information about the organization’s plans, policies, results, or performance. To comply with SOX, organizations must save all business records, including both paper and electronic documents, for no less than five years. Depending on the nature of the files, the timeframe to maintain and retain them may be longer.

When it comes to the end of a document’s retention period, it’s extremely important for companies covered under the SOX Act to safely destroy their data to ensure information cannot be accessed or reconstructed. The secure document destruction of records is considered best practice. Consequences for SOX noncompliance may include fines or imprisonment, or in some cases, both.

Health Insurance Portability and Accountability Act (HIPAA) of 1996

The HIPAA Privacy Rule institutes national standards to safeguard individuals’ medical records and other personal health information (PHI). It covers all forms of PHI, including film, electronic information, and paper records.

Underneath HIPAA, covered entities must implement safeguards to avoid the misuse or disclosure of PHI, including the disposal of it. Thus, “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

HIPAA fines are costly. They range from $100 to $50,000 per record or violation, with a maximum fine of $1.5 million per year for each violation.

The Family Educational Rights and Privacy Act (FERPA)

FERPA protects the privacy of student and parent information. When FERPA was first enacted in 1974, it primarily addressed the improper disposal of files in the physical realm. However, the destruction of digital documents is outlined in new provisions.

FERPA requires that a mandatory destruction date is set for nearly all confidential information involving a student (excluding some academic data). While courts have routinely held that FERPA does not provide a private right of action against educational institutions, complaints may be filed with the Department of Education.

FERPA noncompliance may result in the forfeit of federal funding or monetary damages for improper disposal at the state level.

While this guide provides an overview of the most referenced data privacy laws, it’s always recommended to seek legal counsel to ensure compliance with regulations that apply to your specific business and industry.

Secure Document Destruction: Paper and Privacy

As companies shift from paper-dependent processes to digitization, it’s essential not to overlook the security of paper documents. It’s highly recommended that business owners stay updated with privacy regulations and best practices for document destruction, whether physical or electronic files.

Secure document destruction of records that have reached their retention period minimizes the chances of critical business information falling into the wrong hands. By contracting with shredding services vendor that adheres to best practices for securely destroying your data, your business can avoid hefty fines and preserve confidential information.